Closed Bug 2016272 Opened 4 months ago Closed 4 months ago

Assertion failure: !JS_IsExceptionPending(cx_), at vm/JSContext.h:1200

Categories

(Core :: JavaScript: WebAssembly, defect)

All
Linux
defect

Tracking

()

RESOLVED FIXED
149 Branch
Tracking Status
firefox-esr140 --- unaffected
firefox147 --- unaffected
firefox148 --- unaffected
firefox149 --- fixed

People

(Reporter: gkw, Assigned: canova)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(3 files)

Attached file debug stack
enableGeckoProfilingWithSlowAssertions();
function f() {
  class C {
    static #c;
  }
  (function() {
    "".substring("");
    return [];
  })();
  oomTest(f);
}
f();
(gdb) bt
#0  0x00005555585f4dc8 in MOZ_CrashSequence (aAddress=0x0, aLine=1654)
    at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-036b98bf5ed3-607862/objdir-js/dist/include/mozilla/Assertions.h:237
#1  js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7fffffffb0d0, strictness=js::NoExceptions) at /home/msf2/trees/firefox/js/src/vm/JSContext.cpp:1654
#2  0x0000555557c7a7b6 in js::jit::AssertValidObjectPtr (cx=0x7ffff5e38200, obj=0x3ce24ad04c10) at /home/msf2/trees/firefox/js/src/jit/VMFunctions.cpp:1417
#3  0x000033980f32a616 in ?? ()
#4  0x00003ce24ad04c10 in ?? ()
#5  0x00007fffffffb138 in ?? ()
/snip
031036eafd79-606748
031036eafd79d2c574dd7dde2581d7d7a646a777 is the first interesting commit
commit 031036eafd79d2c574dd7dde2581d7d7a646a777
Author: Nazım Can Altınova
Date:   Wed Feb 4 14:05:50 2026 +0000

    Bug 1441689 - Add JitCodeAPI back to PerfSpewer r=denispal

    This partially reverts commit b62582b (D226645) and removes some unused
    parts of it with minor code changes.

    This API will be used by the profiler in the later patches to fetch the
    line and column numbers for the JIT frames.

    Co-authored-by: Denis Palmeiro <dpalmeiro@mozilla.com>

    Differential Revision: https://phabricator.services.mozilla.com/D276662

Run with --fuzzing-safe --ion-eager, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev 036b98bf5ed3e11e8ca16a178a9357675ae15e1b.

Note that this testcase is intermittent but fairly reliable.

Nazim, is bug 1441689 a likely regressor?

Flags: needinfo?(canaltinova)

When the testcase intermittently does not show the assertion failure, the following message is shown:

Warning: Disabling PerfSpewer.

but without a trailing newline. Can an additional patch please add one, just like most other warnings?

Set release status flags based on info from the regressing bug 1441689

Assignee: nobody → canaltinova
Status: NEW → ASSIGNED

Thanks for the report! It looks like we are trying to allocate a string for the function name and if it OOMs we add an exception. We can clear that exception since it's internal to PerfSpewer.

:gkw, Could you confirm if the patch above fixes the crash?

Flags: needinfo?(canaltinova) → needinfo?(nth10sd)

Yes, it does seem to fix the issue for now!

Flags: needinfo?(nth10sd) → needinfo?(canaltinova)

Great, thanks!

Flags: needinfo?(canaltinova)
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch
QA Whiteboard: [qa-triage-done-c150/b149]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: